ASP.NET Core Custom OAuth Server (.NET 7 Minimal Apis C#)
- Published: 14 Aug 2024
- ASP.NET Core custom OAuth server tutorial with an ASP.NET Core C# minimal API custom OAuth server example, working with .NET 7, .NET 6 and .NET 5. Turn your API into an OAuth server with the ability to create JWT tokens, allowing for extensions to your service.
Patreon 🤝 / raw_coding
Courses 📚 learning.raw-c...
Shop 🛒 shop.raw-codin...
Discord 💬 / discord
Twitter 📣 / anton_t0shik
Twitch 🎥 / raw_coding
⏭ Console App Authentication • Console App Authentica...
📀 Authentication and Authorization Playlist • ASP.NET Core Authentic...
⏮ ASP.NET Core OAuth Authorization • ASP.NET Core OAuth Aut...
🧐 oauth2.1 rfc: datatracker.ie...
🧐 OAuth Video: • OAuth 2.0 & 2.1 Explained
🧐 JWT Video: • ASP.NET Core JWT Authe...
🕰 Timestamps
00:00 Introduction
02:38 Auth code flow recap
03:08 Dev Keys
03:24 Authorization Endpoint
05:14 Authorization Endpoint Request
06:23 PKCE recap
07:43 Authorization Endpoint Response
08:25 Authorization Code
11:08 Testing Authorization Endpoint
14:08 Token Endpoint Base
15:03 Grant Type
15:40 Token Endpoint Request
17:02 Authorization Endpoint Response
17:40 Creating JWT
19:16 Token Endpoint Extension
19:52 Code Verifier & Code Challenge
21:00 Testing Token Endpoint
21:54 Code Challenge Creation Logic
23:24 Code Verifier Validation
27:23 Mapping Claims
30:16 Validation
#aspnetcore #authentication #oauth2
Fantastic job! ❤🎉
Thank you Scott, means a lot )
Well done, appreciate all the Identity videos, granted the official doc lacks a lot
My respects, sir)
Listened to the fairy tale attentively)
hey anton, you've already created another identity server, super amazing video I would love to see any small actual example using blazor wasm and webapi with oauth2.1 video !!
Anton, for parsing a query string (will work for any string that looks like a query string), you can use the System.Web.HttpUtility.ParseQueryString() method.
Looks perfect 👍 thanks for sharing
Thank you Anton great knowledge sharing
Thank you for watching friend!
Very nice video and good explanations!
Quick question: in the token endpoint at 18:03, you set the sub claim to a NewGuid(). What would be the correct implementation if we want to keep track of the user? Should it be added to a new property in the AuthCode class and set during the Authorization endpoint? And then if we want to add other claims, a database lookup should occur in the token endpoint, am I right? Thanks for clarifying this!
Keep the good work :) I hope you'll make an OpenId Connect video soon!
That was awesome.
Question: How do you handle `Challenge` in this case? Like how do you provide login form for the users to sign in if they navigate to [Authorize] pages?
Also how do you provide Consent screen in this setup? Can you please elaborate on that? Maybe create a new video on that? Thank you!
This was very helpful!❤
I live in Latvia and here we have many free courses to help beginners start their IT career
Where is?
@RawCoding I think I forgot to enter the second part of the sentence 😅. It was - "The mentors recommend us to learn from your asp.net videos"
@RawCoding you just asked "where is?" 😂 If you ask about the country, Latvia is located somewhere in Europe. If you want to know the name of the courses, you are especially beloved by "she goes tech" students and mentors. The video where you make a chat is especially popular, because creating a chat is a final test there
I am from Latvia myself, and I was wondering about the free courses ) but I forgot most of the Latvian language by now.
@RawCoding WOW! Incredible! I feel like I just found my lost brother! 😂😳 Maybe that's why Latvians love your tutorials so much - it is easy to understand you, because we think in a little similar way^^ Also I suppose that you are from a Russian speaking family, because only Russian speaking persons use this smile ")" instead of ":)". Am I right?)
The most popular free courses in Latvia are made by Accenture. There are about 160 hours of learning and then the most motivated and talented students can get an internship in Accenture. So if you plan to make a new ASP.NET chat tutorial someday, say hi to Latvian Bootcamp students or to Latvian She Goes Tech students, if you wish to greet only girls😏
Wonderful entry and intro, LMAO, but good tuto 😂😂
Thank you, I benefited a lot @Raw Coding
🫡 comrade
Incredible project, do you have a code example? Or how can I get that? Greetings from México
I go nuts. I don't understand how I can read login information in token endpoint so I can load the claims and pass them to client with token. Please help pipez
Great job!
Can I ask you if it is possible, once the web api has been authenticated, at the same time to protect certain actions of the webapi with authorization by checking the token received?
Anyway, congratulations, a truly complete job
Is there any possibility to find this project uploaded on GitHub in the near future?
Thank you for the clear explanation of the material. I barely managed to subscribe on Patreon. I just can't figure out the /oauth/custom-cb endpoint. I get an error on redirect. I couldn't find it described in the client, or in the server part either.
What error?
Hi Anton, could you say where the client passed parameters like, for example, "code_challenge" or "code_challenge_method" in the AuthorisationEndpoint class?
as per specification, pkce spec: www.rfc-editor.org/rfc/rfc7636#section-4.3
and oauth spec: www.rfc-editor.org/rfc/rfc6749#section-4.1.1
The client constructs the request URI by adding the following
parameters to the query component of the authorization endpoint URI
using the "application/x-www-form-urlencoded" format
so you add these as query parameters to the get request.
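The request described in the reply above, as an added example that is not code from the video or from any commenter: the client derives an S256 code_challenge, appends it to the authorization endpoint query string, and the server later checks the code_verifier sent to the token endpoint. The host names, the client id, the /oauth/authorize path and the Pkce helper class are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. Host names, client id and the /oauth/authorize path are
// constructed sample values; Pkce is a hypothetical helper class.

// Client: random verifier (32 bytes -> 43 base64url chars) and its challenge
string codeVerifier = Pkce.Base64Url(RandomNumberGenerator.GetBytes(32));
string codeChallenge = Pkce.S256(codeVerifier);

// RFC 6749 section 4.1.1: parameters travel in the query component of the
// authorization endpoint URI, so the client appends them to the GET request.
string authorizeUrl = "https://auth.example.test/oauth/authorize"
    + "?response_type=code"
    + "&client_id=" + Uri.EscapeDataString("sample-client")
    + "&redirect_uri=" + Uri.EscapeDataString("https://app.example.test/oauth/custom-cb")
    + "&code_challenge=" + Uri.EscapeDataString(codeChallenge)
    + "&code_challenge_method=S256";
Console.WriteLine(authorizeUrl);

// Server: the challenge is stored with the authorization code; the token
// endpoint later receives code_verifier and recomputes the challenge.
string otherVerifier = Pkce.Base64Url(RandomNumberGenerator.GetBytes(32));
Console.WriteLine("matching verifier accepted: " + Pkce.Verify(codeVerifier, codeChallenge));
Console.WriteLine("different verifier accepted: " + Pkce.Verify(otherVerifier, codeChallenge));
Console.WriteLine("short verifier accepted: " + Pkce.Verify("too-short", codeChallenge));

static class Pkce
{
    // base64url without padding, as RFC 7636 defines it
    public static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    public static string S256(string verifier) =>
        Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    public static bool Verify(string verifier, string storedChallenge)
    {
        // RFC 7636 section 4.1 limits the verifier to 43..128 characters
        if (verifier is null || verifier.Length < 43 || verifier.Length > 128)
            return false;
        // Constant-time comparison of the recomputed and stored challenges
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(S256(verifier)),
            Encoding.ASCII.GetBytes(storedChallenge));
    }
}
```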
Bro, you rock! What about the client app logout? I'm trying to make a UI in the authorization server where the user can choose a bunch of client apps and then log in, kinda a sso. If the user logs out from the authorization server, the cookie in the client still works. I think I am messing up with the concepts pretty hard lol
Your question is really good! You want to have a session checking mechanism, either a redirect or an http call.
What can I do if I want that the endpoint GET /login be a complete html file including styles, js and more? not just a plain html with two inputs. Thanks in advance!! And great video by the way.
Create the complete html.
Can you help me with this error?
Although, I coded TokenEndpoint endpoint but got error
" The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true "
Hi great video, can you share the project?
Hi, thank you for the video can you share the code please?
Great video. Thanks for your effort.
I got one question. I want to check for client id and client secret for multiple clients. Where is the best place to validate? Is it login page post handler or Authorization handler? Where can I find the client secret inside authorization url? Thank you in advance
Store client id and secret in a database. And validate them at the authorisation and token endpoints. Read the rfc
@RawCoding Thank you for your quick reply. In fact I could not find the client secret in the return url received at the authorization end point. I could see the client id. Is there any way to include the client secret with the return url? Thank you very much for your help
Can you open the specification and search for client secret and tell me where in the spec it says to put it in the authorisation endpoint.
nice
Great tutorial!!!! I have one question btw, is there a way in which I can validate the client secret on the server side?
Check the database, store it like a password.
@RawCoding thanks for your answer, but I mean, is it possible with this example to make the machine-machine authorization/authentication?
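One way to follow the replies above about keeping client ids and secrets in a database and storing the secret "like a password", as an added example that is not code from the video or from any commenter. The ClientStore class, the in-memory dictionary standing in for the database, the sample client values and the PBKDF2 iteration count are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example. ClientStore is a hypothetical class; the dictionary stands
// in for the database and all client ids and secrets are constructed.
var store = new ClientStore();
store.Register("sample-client", "s3cret-for-sample-client");

Console.WriteLine("right secret: " + store.Validate("sample-client", "s3cret-for-sample-client"));
Console.WriteLine("wrong secret: " + store.Validate("sample-client", "guess"));
Console.WriteLine("unknown client: " + store.Validate("unknown-client", "guess"));

class ClientStore
{
    // Iteration count is an assumption; tune it for your hardware.
    const int Iterations = 210_000, SaltSize = 16, HashSize = 32;
    readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _clients = new();

    // Dummy record so an unknown client id costs the same work as a known one
    readonly (byte[] Salt, byte[] Hash) _dummy =
        (RandomNumberGenerator.GetBytes(SaltSize), RandomNumberGenerator.GetBytes(HashSize));

    static byte[] Derive(string secret, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(secret, salt, Iterations, HashAlgorithmName.SHA256, HashSize);

    public void Register(string clientId, string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        // Only the salt and the derived hash are kept, never the plaintext
        _clients[clientId] = (salt, Derive(secret, salt));
    }

    public bool Validate(string clientId, string presentedSecret)
    {
        bool known = _clients.TryGetValue(clientId, out var record);
        if (!known) record = _dummy;
        byte[] candidate = Derive(presentedSecret, record.Salt);
        // Constant-time comparison of the derived and stored hashes
        bool match = CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
        return known && match;
    }
}
```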
What do I do if I protect web api?
what?
@RawCoding when I added attribute Authorize to my web api endpoint then returnUrl parameter doesn't contain code_challenge and code_challenge_method properties. I didn't add login endpoint to my web api so I didn't call Challenge method. Is it required in web api project?
Watch this video. Learn about all the topics. Then go find a proper implementation, open source or commercial, and use that instead. Never use your own identity management solution for anything that matters. KeyCloak is an excellent option.
Always a safe bet
Does KeyCloak support oauth2.1?
can you share your source code?
Your DevKeys logic has an issue, it should be like
    using System.IO;
    using System.Security.Cryptography;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.IdentityModel.Tokens;

    public class DevKeys
    {
        public DevKeys(IWebHostEnvironment env)
        {
            Rsakey = RSA.Create();
            var path = Path.Combine(env.ContentRootPath, "crypto_key");
            if (File.Exists(path))
            {
                // Instead of creating a new rsaKey instance, use the existing Rsakey instance
                Rsakey.ImportRSAPrivateKey(File.ReadAllBytes(path), out _);
            }
            else
            {
                // First run: persist the generated private key so later runs reuse it
                var privateKey = Rsakey.ExportRSAPrivateKey();
                File.WriteAllBytes(path, privateKey);
            }
        }

        public RSA Rsakey { get; }
        public RsaSecurityKey RsaSecurityKey => new RsaSecurityKey(Rsakey);
    }
Please let me know if I understood wrongly or if you had an issue.